In the week that support for Windows XP ended, the tech community has been engulfed by security woes.
The cause was not Microsoft’s ancient operating system but a piece of open source software run by most of the major web giants on services used by millions of people: OpenSSL.
The open source Secure Sockets Layer (SSL) library is used on two-thirds of web servers and is supposed to protect web users by encrypting traffic. It is what the ‘S’ in HTTPS connections stands for.
However, on Tuesday Finnish firm Codenomicon revealed a programming error, dubbed Heartbleed, which meant that OpenSSL had been insecure for more than two years. Anyone aware of the fault could have exploited it without leaving a trace.
The fallout was swift:
- Web firms scrambled to fix the flaws, with web giants Facebook, Google, Amazon and Twitter among those rushing to protect their systems and reassure users all was well.
- Security guru Bruce Schneier lamented the errors as ‘catastrophic’ and speculated that it could be yet another example of government spy agencies infiltrating key tech standards to hoover up web user data.
- Meanwhile the man responsible for the flaw – a German coder who submitted the revision for OpenSSL at midnight on New Year’s Eve 2011 – said it was an honest mistake and not a malicious deed.
Web users were urged to change their passwords on, basically, all sites, in case criminals got hold of their details. Of course, changing every single password online is no simple task, and some questioned whether this would do much good.
Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience team, said: "Too much credence is being given to the idea that the Heartbleed bug can be beaten if customers change the passwords they use to shop and communicate online."
Instead, he said firms must ensure they apply the OpenSSL patch to fix the problem across all areas of the networks and endpoints. Only then will changing passwords have any benefit.
"It’s only when every gateway is guarded with the relevant patch that customer password changes will be effective," he noted. "Having different passwords on each service and changing them on a regular basis makes good sense, but the rush to urge immediate action creates a sense of panic that helps no one."
Nonetheless, numerous security vendors have issued the 'change your passwords' mantra, suggesting there must be something in this, even if it is only peace of mind for web users that they have done all they can to avoid a broken heart.
Open source anguish
Perhaps the bigger issue with Heartbleed is the damage it will cause to the open source community.
For such a major error to have lain dormant in a key piece of open source software is a serious blow to the claim that open source offers enhanced security because of the number of people involved in its ongoing maintenance.
The German coder who caused the bug, Robin Seggelmann, dismissed such claims, though, arguing (with rather circular logic) that it was only because of the open source nature of OpenSSL that the issue was found. "I don’t see it as a failure of open source. On the contrary, the publicly accessible code made it possible that the error has been discovered and published," he said.
However, others were less than impressed. Mark Brown, director of Information Security Practice at EY, said: "The idea behind open source is that issues like these are resolved by the developer community at an early stage. A bug like this should never have got this far and it fundamentally undermines trust in the system."
Overall, it is unlikely that the Heartbleed bug – like the PRISM scandal – will quench the world's insatiable appetite for key web services including Facebook, Google and Twitter. If it leads to a few more secure and random passwords being used, well, every cloud has a silver lining.
Meanwhile, in the long-running debate between the relative merits of open source and closed software systems, the biggest surprise is that in the week of XP's demise it is the open source side facing the biggest problems.